oss-sec mailing list archives
Re: Re: CVE id request: php5
From: Joe Orton <jorton () redhat com>
Date: Thu, 29 Jan 2009 10:00:54 +0000
On Wed, Jan 28, 2009 at 02:00:42PM -0600, Raphael Geissert wrote:
> Josh Bressers wrote:
> [...]
> > I may be missing something here, but this looks like an issue where a bad
> > script really needs to cause this. Wouldn't it be just as easy for the
> > script author to delete the file in question via a PHP script?
>
> No, please read carefully. If you have a script that doesn't do good input
> sanitation but takes a variable from the user's input and uses it as a key
> it will end up nuking the .ini file.

If the script is taking untrusted input data and passing it unsanitized as the "key" argument to a dba_replace() call, it can override arbitrary keys in the ini file anyway. Truncating the ini file to zero length seems like a less severe problem than being able to write (arbitrary?) data to arbitrary keys.

Regards,
Joe
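
The concern raised in this message, as an added example that is not part of the original thread or of PHP's own code: a script that maps user input onto a fixed set of keys, so that no request value is ever used directly as the "key" argument to dba_replace(). The file path, field names and key names are constructed for illustration, and the PHP build is assumed to include the dba extension with the inifile handler.

```php
<?php
// Added example: only keys from a fixed allow-list ever reach dba_replace().
// Field names, key names and the file path are constructed for illustration.

const ALLOWED_KEYS = [
    'theme'    => '[display]theme',     // inifile keys take the form [group]name
    'language' => '[display]language',
];

function set_user_setting($dba, string $field, string $value): bool
{
    // Translate the user-supplied field name into a fixed key; the raw
    // input itself is never passed to dba_replace().
    if (!array_key_exists($field, ALLOWED_KEYS)) {
        return false;
    }
    // As a precaution, accept only short single-line values.
    if (strlen($value) > 64 || preg_match('/[\r\n\x00]/', $value)) {
        return false;
    }
    return dba_replace(ALLOWED_KEYS[$field], $value, $dba);
}

// Constructed sample ini file in the temp directory.
$path = sys_get_temp_dir() . '/settings-example.ini';
file_put_contents($path, "[display]\ntheme=light\nlanguage=en\n");

$dba = dba_open($path, 'w', 'inifile');
if ($dba === false) {
    exit("inifile handler not available in this PHP build\n");
}

// An allowed field is written; an unknown field is rejected before any write.
var_dump(set_user_setting($dba, 'theme', 'dark'));
var_dump(set_user_setting($dba, 'no-such-field', 'x'));

dba_close($dba);
echo file_get_contents($path);
```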